HOOK 改变API函数行为
//////////////////////////////////////////////////////////////////////////
//ioctl.h --该文件只存放IOCTL代码,可复用于win32工程
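#ifndef IOCTL_H_
#define IOCTL_H_
/*
 * IOCTL codes shared by the driver and its Win32 controller.
 * The published listing had lost the backslash line continuations
 * ("#define IOCTL_SETVALUEKEY /"); they are restored here.
 *
 * Every code uses METHOD_BUFFERED, so DispatchIoctl reads and writes
 * pIrp->AssociatedIrp.SystemBuffer, and FILE_ANY_ACCESS, so any caller that
 * can open the device may issue any of them. Before the dispatch cases that
 * change kernel state (IOCTL_HOOKON / IOCTL_HOOKOFF / rule management) are
 * enabled, the device object needs a restrictive security descriptor.
 */
#define IOCTL_SETVALUEKEY \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x830, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_MGRVISIT \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x831, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_HOOKON \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x832, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_HOOKOFF \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x833, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_ADDARUL \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x834, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_REMOVEARUL \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x835, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_DELALLRULS \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x836, METHOD_BUFFERED, FILE_ANY_ACCESS)
#endif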
//////////////////////////////////////////////////
// KeHookReg.h文件
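#ifndef KeHookReg_H_
#define KeHookReg_H_
/*
 * KeHookReg.h - declarations for the KeHookReg filter driver: a control device
 * reached through a symbolic link, IOCTL dispatch, and hooks installed by
 * overwriting entries of the 32-bit x86 system service table (SSDT).
 *
 * The published listing had lost every backslash ("//Device//..."); NT object
 * paths are backslash-separated and are restored below.
 */

/* Device name, user-visible symbolic link (under \??, so any local user can
 * open it unless the device object is given a security descriptor), and the
 * named event used for user/kernel notification. */
#define DEVICE_NAME L"\\Device\\devKeHookReg"
#define LINK_NAME L"\\??\\slKeHookReg"
#define NOTIFY_EVENT L"\\BaseNamedObjects\\KeRegNotifyEvent"

/* Driver entry: creates the device and link, registers the dispatch routines
 * and installs the hook (AllHookOn). */
NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT pDrvObj,
    IN PUNICODE_STRING pRegistryPath
    );

/* Unload: removes the hook when bHookOn is set, then the link and devices. */
VOID
DriverUnload(IN PDRIVER_OBJECT pDrvObj);

/* IRP_MJ_CREATE handler. */
NTSTATUS
DispatchCreate(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp);

/* IRP_MJ_CLOSE handler. */
NTSTATUS
DispatchClose(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp);

/* IRP_MJ_DEVICE_CONTROL handler for the codes in ioctl.h (all METHOD_BUFFERED). */
NTSTATUS
DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp);

/* Duplicates of typedefs ntddk.h already provides. They are identical, which
 * C11 and C++ accept (a C99 compiler reports a redefinition). POBJECT is just
 * PVOID, so it gives no type safety over HANDLE. */
typedef unsigned int UINT;
typedef char CHAR;
typedef char * PCHAR;
typedef PVOID POBJECT;

/* Layout of KeServiceDescriptorTable (32-bit x86): ServiceTableBase is the
 * array of service routine addresses that AllHookOn/AllHookOff rewrite. */
typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;
    unsigned int *ServiceCounterTableBase;
    unsigned int NumberOfServices;
    unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry, *PServiceDescriptorTableEntry;
extern PServiceDescriptorTableEntry KeServiceDescriptorTable;

/* SYSCALL(Zw*): the SSDT slot of a Zw* routine, as an lvalue. The service
 * index is read from the four bytes at offset 1 of the Zw stub, i.e. the
 * immediate of the `mov eax, <index>` that opens a 32-bit x86 stub. The index
 * is not checked against NumberOfServices, and the expression has no meaning
 * on x64 builds. */
#define SYSCALL(_function) KeServiceDescriptorTable->ServiceTableBase[*(PULONG)((PUCHAR)_function+1)]

/* ZwSetValueKey hook. AllHookOn does not install it (those lines are commented
 * out). OldZwSetValueKey below is a definition, not an extern declaration, so
 * this header must be included by exactly one translation unit. */
typedef NTSTATUS (*ZWSETVALUEKEY)
    (
    IN HANDLE KeyHandle,
    IN PUNICODE_STRING ValueName,
    IN ULONG TitleIndex OPTIONAL,
    IN ULONG Type,
    IN PVOID Data,
    IN ULONG DataSize
    );
ZWSETVALUEKEY OldZwSetValueKey;
NTSTATUS HookZwSetValueKey
    (
    IN HANDLE KeyHandle,
    IN PUNICODE_STRING ValueName,
    IN ULONG TitleIndex OPTIONAL,
    IN ULONG Type,
    IN PVOID Data,
    IN ULONG DataSize
    );

/* Install / remove the ZwCreateFile SSDT hook and update bHookOn. */
VOID
AllHookOn(void);
VOID
AllHookOff(void);

/* ZwCreateFile hook. OldRealZwCreateFile holds the slot value saved by
 * AllHookOn, i.e. the routine the hook has to forward to. Same single-TU
 * caveat as OldZwSetValueKey. */
typedef NTSTATUS (*REALZWCREATEFILE)(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength);
REALZWCREATEFILE OldRealZwCreateFile;
NTSTATUS HookZwCreateFile(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength);

/* ObQueryNameString, declared once (the listing declared it twice). The DDK
 * declares it with a POBJECT_NAME_INFORMATION buffer whose first member is a
 * UNICODE_STRING; this prototype passes that same buffer as PUNICODE_STRING. */
NTSYSAPI
NTSTATUS
NTAPI ObQueryNameString
    (POBJECT Object, PUNICODE_STRING Name, ULONG MaximumLength, PULONG ActualLength);

/* Handle-to-object helpers (defined in KeHookReg.cpp). GetFullName takes the
 * HANDLE, matching its definition; the listing's prototype said POBJECT. */
POBJECT GetObjByHandle(HANDLE handle);
VOID FreeObj(POBJECT pObj);
BOOLEAN GetFullName(HANDLE handle, PCHAR pch);
/* Declared here but not defined anywhere in this listing. */
BOOLEAN GetDeteRel(ULONG uTID);
#endif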
//////////////////////////////////////////////////
// 该文件由KSDriverWizard生成
//KeHookReg.cpp文件
#include "ntddk.h"
#include "kedef.h"
//#include "keylist.h"
#include "KeHookReg.h"
#include "ntoskrnl.h"
#include "ioctl.h"
//VisitData * g_visitData;
//DeteData * g_deteArray;
//PKMUTEX g_setValueKeyMutext;
//HANDLE hNotifyHandle; // event object handle
//PKEVENT NotifyEvent; // event object pointer used for user/kernel communication
//PKEVENT pDeteEvent;
// TRUE while the ZwCreateFile SSDT slot points at HookZwCreateFile: set by
// AllHookOn, cleared by AllHookOff, read by DriverUnload to decide whether to
// unhook. Written without any synchronisation, so AllHookOn/AllHookOff must
// never run concurrently (only DriverEntry and DriverUnload call them here).
BOOLEAN bHookOn = FALSE;
// 驱动程序加载时调用DriverEntry例程
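// Driver entry point, called when the driver image is loaded.
//
// Creates the control device (DEVICE_NAME) and the symbolic link (LINK_NAME)
// that user mode opens, registers the dispatch routines and installs the SSDT
// hook via AllHookOn(). IoCreateDevice is called without a security descriptor
// and the link lives under \??, so every local user can open the device and
// send its FILE_ANY_ACCESS control codes; a deployment should create the device
// with a restricting SDDL string (IoCreateDeviceSecure) or check the caller in
// DispatchCreate/DispatchIoctl before enabling the state-changing IOCTLs.
//
// Returns STATUS_SUCCESS, or the failing IoCreateDevice/IoCreateSymbolicLink
// status; on link failure the device object is deleted again first.
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
    NTSTATUS status = STATUS_SUCCESS;
    UNICODE_STRING ustrDevName;   // device name
    UNICODE_STRING ustrLinkName;  // symbolic link name
    // UNICODE_STRING ustrNotifyEvent;
    PDEVICE_OBJECT pDevObj = NULL;

    (void)pRegistryString;        // the registry path is not used by this driver

    // The listing printed "/n" (a lost backslash); newline restored.
    DbgPrint("KS:DriverEntry...\n");
    RtlInitUnicodeString(&ustrDevName, DEVICE_NAME);
    RtlInitUnicodeString(&ustrLinkName, LINK_NAME);
    // RtlInitUnicodeString(&ustrNotifyEvent,NOTIFY_EVENT);

    // Dispatch routines; every other major function keeps the I/O manager's
    // default handler.
    pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    pDriverObj->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
    pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;
    pDriverObj->DriverUnload = DriverUnload;

    status = IoCreateDevice(
        pDriverObj,
        0,
        &ustrDevName,
        FILE_DEVICE_UNKNOWN,
        0,
        FALSE,
        &pDevObj);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    status = IoCreateSymbolicLink(&ustrLinkName, &ustrDevName);
    if (!NT_SUCCESS(status)) {
        IoDeleteDevice(pDevObj);
        return status;
    }

    // initList();
    // NotifyEvent = IoCreateNotificationEvent(&ustrNotifyEvent, &hNotifyHandle);
    // if (NotifyEvent==NULL)
    // DbgPrint("Create notify event error!");
    // // start in the non-signalled state
    // KeClearEvent(NotifyEvent);
    // g_deteArray = ExAllocatePool(NonPagedPool,sizeof(DeteData)*256);
    // if (g_deteArray==NULL)
    // return STATUS_DATA_ERROR;
    // g_visitData = ExAllocatePool(NonPagedPool,sizeof(VisitData));
    // pDeteEvent = ExAllocatePool(NonPagedPool,sizeof(KEVENT));
    // g_setValueKeyMutext = ExAllocatePool(NonPagedPool,sizeof(KMUTEX));
    // KeInitializeEvent(pDeteEvent,NotificationEvent,FALSE);
    // KeInitializeMutex(g_setValueKeyMutext,0);
    // KeClearEvent(pDeteEvent);

    // The SSDT is patched as soon as the driver loads; IOCTL_HOOKON/IOCTL_HOOKOFF
    // are stubs in DispatchIoctl, so there is no way to run unhooked.
    AllHookOn();
    return STATUS_SUCCESS;
}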
// Unload routine: restores the SSDT slot when the hook is installed, removes
// the user-visible symbolic link and deletes every device object this driver
// owns. AllHookOff only rewrites the table entry; a thread already executing
// inside HookZwCreateFile is not waited for before the image goes away.
VOID
DriverUnload(
    IN PDRIVER_OBJECT pDrvObj
    )
{
    UNICODE_STRING ustrLinkName;
    PDEVICE_OBJECT pCur;

    DbgPrint("KS:Driver Unloading");
    if (bHookOn == TRUE) {
        AllHookOff();
    }
    // KeSetEvent(NotifyEvent, 0, FALSE);
    // delList();
    // ExFreePool(g_deteArray);
    // ExFreePool(g_setValueKeyMutext);
    // ExFreePool(pDeteEvent);
    // ExFreePool(g_visitData);

    // drop the symbolic link
    RtlInitUnicodeString(&ustrLinkName, LINK_NAME);
    IoDeleteSymbolicLink(&ustrLinkName);

    if (pDrvObj == NULL) {
        return;
    }
    // Walk the driver's device list; NextDevice is read before the delete
    // because the device object is gone afterwards.
    pCur = pDrvObj->DeviceObject;
    while (pCur != NULL) {
        PDEVICE_OBJECT pNext = pCur->NextDevice;
        IoDeleteDevice(pCur);
        pCur = pNext;
    }
}
//处理Win32的Create
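// IRP_MJ_CREATE handler: every open of the control device succeeds.
// No caller check is made here, so access to the device rests entirely on the
// device object's security descriptor (DriverEntry sets none).
NTSTATUS
DispatchCreate(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
    (void)pDevObj;
    DbgPrint("KS:DispatchCreate");
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;   // set explicitly: no data is transferred
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}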
//处理Win32的Close
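// IRP_MJ_CLOSE handler: completes the close with STATUS_SUCCESS. Nothing is
// tracked per open handle, so there is no per-handle state to release.
NTSTATUS
DispatchClose(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
    (void)pDevObj;
    DbgPrint("KS:DispatchClose");
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;   // set explicitly: no data is transferred
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}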
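// IRP_MJ_DEVICE_CONTROL handler for the control codes defined in ioctl.h.
//
// All codes are METHOD_BUFFERED: input and output share
// pIrp->AssociatedIrp.SystemBuffer, and on completion the I/O manager copies
// IoStatus.Information bytes of that buffer back to the caller. Every case body
// is stubbed out in this listing, so each request completes with
// STATUS_INVALID_DEVICE_REQUEST and transfers nothing.
//
// Two rules for re-enabling the case bodies:
//  * check uInSize against sizeof the structure before casting pIoBuffer to
//    RulData* or DeteData* - the buffer length is chosen by user mode;
//  * report the byte count actually written in Information. The listing set it
//    to uOutSize whenever status was STATUS_SUCCESS, which would hand the
//    unwritten remainder of SystemBuffer (whatever the pool allocation held)
//    back to user mode.
// IOCTL_HOOKON/IOCTL_HOOKOFF would also let any device opener toggle the
// kernel hook; restrict the device object before enabling them.
NTSTATUS
DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;
    // current I/O stack location of this IRP
    PIO_STACK_LOCATION pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
    // control code
    ULONG uIoControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;
    // shared in/out buffer and the lengths the caller supplied
    PVOID pIoBuffer = pIrp->AssociatedIrp.SystemBuffer;
    ULONG uInSize = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;
    ULONG uOutSize = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;
    ULONG uBytesWritten = 0;   // bytes placed in pIoBuffer for the caller

    (void)pDevObj;
    (void)pIoBuffer;           // unused while every case is stubbed
    (void)uInSize;
    (void)uOutSize;
    DbgPrint("KS:DispatchIoctl");

    switch (uIoControlCode) {
    case IOCTL_SETVALUEKEY:
        // stub: would copy g_visitData out when uOutSize >= sizeof(VisitData)
        // and then set uBytesWritten = sizeof(VisitData)
        break;
    case IOCTL_MGRVISIT:
        // stub: would copy a DeteData in (requires uInSize >= sizeof(DeteData))
        // and signal pDeteEvent
        break;
    case IOCTL_HOOKON:
        // stub: would call AllHookOn() when bHookOn == FALSE
        break;
    case IOCTL_HOOKOFF:
        // stub: would call AllHookOff() when bHookOn == TRUE
        break;
    case IOCTL_ADDARUL:
        // stub: would add the RulData in pIoBuffer to the rule list
        // (requires uInSize >= sizeof(RulData))
        break;
    case IOCTL_REMOVEARUL:
        // stub: would remove the rule named by RulData::chKey (same length check)
        break;
    case IOCTL_DELALLRULS:
        // stub: would clear the rule list
        break;
    default:
        // unknown code: status stays STATUS_INVALID_DEVICE_REQUEST
        break;
    }

    // Only bytes this routine wrote may be reported back.
    pIrp->IoStatus.Information = (status == STATUS_SUCCESS) ? uBytesWritten : 0;
    pIrp->IoStatus.Status = status;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return status;
}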
// Install the hook: save the current SSDT slot for ZwCreateFile in
// OldRealZwCreateFile, then overwrite that slot with HookZwCreateFile.
//
// Review notes (code left exactly as published):
//  * SYSCALL() assumes the 32-bit x86 Zw stub layout; this cannot work on x64
//    builds, where PatchGuard also treats SSDT modification as a fatal
//    integrity violation.
//  * CR0 bit 16 (WP) is cleared so the read-only page holding the table can be
//    written, and set again afterwards. CLI/STI only disable interrupts on the
//    current processor; on a multiprocessor machine the other CPUs keep
//    executing through the table while it is changed (the 32-bit store itself
//    is a single write, so the window is small).
//  * The saved pointer is cast with ZWSETVALUEKEY instead of REALZWCREATEFILE.
//    Both are function-pointer types, so a C compiler accepts the assignment
//    with a warning; a C++ compiler would reject it.
//  * Not idempotent: a second call saves the hook itself as "old", after which
//    AllHookOff would leave the slot pointing into an unloaded image. DriverEntry
//    calls it unconditionally; an `if (bHookOn) return;` guard would make
//    IOCTL_HOOKON safe to re-enable.
//  * bHookOn is written without synchronisation.
VOID
AllHookOn()
{
DbgPrint("HookOn");
// OldZwCreateKey = (ZWCREATEKEY)SYSCALL(ZwCreateKey);
// OldZwSetValueKey = (ZWSETVALUEKEY)SYSCALL(ZwSetValueKey);
// save the original ZwCreateFile service address (cast type mismatch, see above)
OldRealZwCreateFile = (ZWSETVALUEKEY)SYSCALL(ZwCreateFile);
// disable interrupts on this CPU and clear CR0.WP
_asm
{
CLI
MOV EAX, CR0
AND EAX, NOT 10000H
MOV CR0, EAX
}
// (ZWCREATEKEY)(SYSCALL(ZwCreateKey)) = HookZwCreateKey;
// (ZWSETVALUEKEY)(SYSCALL(ZwSetValueKey)) = HookZwSetValueKey;
// overwrite the table slot (cast-as-lvalue is an MSVC extension)
(REALZWCREATEFILE)(SYSCALL(ZwCreateFile)) = HookZwCreateFile;
// restore CR0.WP and re-enable interrupts
_asm
{
MOV EAX, CR0
OR EAX, 10000H
MOV CR0, EAX
STI
}
bHookOn = TRUE;
}
// Remove the hook: write OldRealZwCreateFile back into the ZwCreateFile SSDT
// slot and clear bHookOn, using the same CR0.WP / CLI-STI sequence as
// AllHookOn and sharing its single-processor assumption.
//
// Only meaningful after AllHookOn stored a valid pointer: restoring a NULL
// OldRealZwCreateFile would point the slot at address 0. Nothing here waits
// for a thread that is already inside HookZwCreateFile, so a caller that
// unloads the image right after this (DriverUnload) races with such threads.
VOID
AllHookOff()
{
DbgPrint("HookOff");
// disable interrupts on this CPU and clear CR0.WP
_asm
{
CLI
MOV EAX, CR0
AND EAX, NOT 10000H
MOV CR0, EAX
}
// (ZWCREATEKEY)(SYSCALL(ZwCreateKey)) = (ZWCREATEKEY)OldZwCreateKey;
// (ZWSETVALUEKEY)(SYSCALL(ZwSetValueKey)) = (ZWSETVALUEKEY)OldZwSetValueKey;
// put the saved original back into the table slot
(REALZWCREATEFILE)(SYSCALL(ZwCreateFile)) = (REALZWCREATEFILE)OldRealZwCreateFile;
// restore CR0.WP and re-enable interrupts
_asm
{
MOV EAX, CR0
OR EAX, 10000H
MOV CR0, EAX
STI
}
bHookOn = FALSE;
}
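// Resolve a handle to a referenced object pointer.
//
// Returns the object with one reference added (release with FreeObj), or NULL
// when the handle is NULL or ObReferenceObjectByHandle fails.
//
// The access mode passed to ObReferenceObjectByHandle is the caller's previous
// mode instead of the fixed KernelMode of the listing: this routine serves the
// SSDT hooks, whose handles come from the (possibly user-mode) system-call
// caller, and a fixed KernelMode would skip the validation that applies to
// user-supplied handle values. DesiredAccess 0 and ObjectType NULL are kept:
// no access right is demanded and any object type is accepted.
POBJECT GetObjByHandle(HANDLE handle)
{
    POBJECT pObj = NULL;
    NTSTATUS status;

    if (handle == NULL) {
        return NULL;
    }
    status = ObReferenceObjectByHandle(handle, 0, NULL, ExGetPreviousMode(), &pObj, NULL);
    if (!NT_SUCCESS(status)) {
        // the listing printed "%x" with no argument (and "/n"); pass the status
        DbgPrint("Error %x getting key pointer\n", status);
        pObj = NULL;
    }
    return pObj;
}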
// Drop the reference taken by GetObjByHandle. A NULL pointer is ignored.
VOID FreeObj(POBJECT pObj)
{
    if (pObj == NULL) {
        return;
    }
    ObDereferenceObject(pObj);
}
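// Upper bound, in bytes, of what GetFullName writes to pch, terminator
// included. The caller shown in this listing passes a char[1024].
enum { GETFULLNAME_MAX = 1024 };
// Size of the pool buffer handed to ObQueryNameString (UNICODE_STRING + name).
enum { GETFULLNAME_QUERY_SIZE = 1024 + 4 };

// Copy the NT object name of the object behind `handle` into pch as ANSI.
//
// pch must point at a buffer of at least GETFULLNAME_MAX bytes; a longer name
// is truncated and the result is always NUL-terminated.
// Returns TRUE only when a name was produced and stored; FALSE for a NULL or
// unresolvable handle, a NULL pch, pool allocation failure, or a failed query
// or conversion (pch is then left untouched).
//
// Differences from the listing: the pool buffer was allocated before the
// argument checks and leaked on the early FALSE return; ANSI_STRING astr was
// freed even when the query failed and it had never been initialised; strcpy
// into pch was unbounded; ExAllocatePool's result was not checked; TRUE was
// returned with pch untouched when ObQueryNameString failed; and MaximumLength
// was 512 although 1028 bytes were allocated.
BOOLEAN GetFullName(HANDLE handle, char *pch)
{
    ULONG uactLength = 0;
    PUNICODE_STRING pustr = NULL;
    ANSI_STRING astr;
    POBJECT pObj = NULL;
    BOOLEAN ok = FALSE;

    if (pch == NULL) {
        return FALSE;
    }
    pObj = GetObjByHandle(handle);
    if (pObj == NULL) {
        return FALSE;
    }
    pustr = ExAllocatePool(NonPagedPool, GETFULLNAME_QUERY_SIZE);
    if (pustr == NULL) {
        FreeObj(pObj);
        return FALSE;
    }
    if (NT_SUCCESS(ObQueryNameString(pObj, pustr, GETFULLNAME_QUERY_SIZE, &uactLength))) {
        // TRUE: RtlUnicodeStringToAnsiString allocates astr.Buffer for us
        if (NT_SUCCESS(RtlUnicodeStringToAnsiString(&astr, pustr, TRUE))) {
            size_t n = astr.Length;
            if (n > GETFULLNAME_MAX - 1) {
                n = GETFULLNAME_MAX - 1;   // truncate rather than overrun pch
            }
            memcpy(pch, astr.Buffer, n);
            pch[n] = '\0';
            RtlFreeAnsiString(&astr);
            ok = TRUE;
        }
    }
    ExFreePool(pustr);
    FreeObj(pObj);
    return ok;
}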
// Replacement for ZwSetValueKey. Not installed: the matching lines in AllHookOn
// are commented out. As compiled, every call returns STATUS_ACCESS_DENIED
// without reaching the original routine, so if it were installed no registry
// value could be written by anyone.
//
// The intended rule-matching body is kept below as published. Notes on it:
//  * ValueName, Data and DataSize come straight from the system-call caller and
//    the hook runs with that caller's previous mode, so they must be probed
//    (ProbeForRead inside __try) before being read, and the strcpy calls from
//    astr.Buffer / pch into the fixed 256- and 1024-byte VisitData fields need a
//    bound; "DataSize<1024" bounds only the memcpy.
//  * DbgPrint(g_visitData->szDes) and DbgPrint(g_visitData->szOp) pass
//    rule-supplied text as the format string; use DbgPrint("%s", ...).
//  * The wait on pDeteEvent is satisfied only by the user-mode manager
//    (IOCTL_MGRVISIT); with the manager absent, every matching registry write,
//    including ones issued by system processes, blocks indefinitely while
//    holding g_setValueKeyMutext.
NTSTATUS HookZwSetValueKey
(
IN HANDLE KeyHandle,
IN PUNICODE_STRING ValueName,
IN ULONG TitleIndex OPTIONAL,
IN ULONG Type,
IN PVOID Data,
IN ULONG DataSize
)
{
// char pch[1024];
// ANSI_STRING astr;
// KeyList * pKey =NULL;
// GetFullName(KeyHandle,pch);
// pKey = FindKey(pch);
// if(pKey!=NULL)
// {
// if (pKey->cOps==2)
// return STATUS_ACCESS_DENIED;
//
// KeWaitForMutexObject(g_setValueKeyMutext,Executive,KernelMode,FALSE,0);
// RtlZeroMemory(g_visitData,sizeof(VisitData));
// g_visitData->uPID = (ULONG)PsGetCurrentProcessId();
// g_visitData->uTID = (ULONG)PsGetCurrentThreadId();
//
// RtlUnicodeStringToAnsiString(&astr,ValueName,TRUE);
// strcpy(g_visitData->subkey,astr.Buffer);
// RtlFreeAnsiString(&astr);
// strcpy(g_visitData->chkey,pch);
// g_visitData->utype = Type;
// if (DataSize<1024)
// memcpy(g_visitData->chData,Data,DataSize);
// strcpy(g_visitData->szDes,pKey->szDes);
// DbgPrint(g_visitData->szDes);
// strcpy(g_visitData->szOp,pKey->szOp);
// DbgPrint(g_visitData->szOp);
// g_visitData->iDan=pKey->iDan;
// KeSetEvent(NotifyEvent, 0, FALSE);
// KeClearEvent(NotifyEvent);
// KeWaitForSingleObject(pDeteEvent,Executive,KernelMode,FALSE,0);
// KeClearEvent(pDeteEvent);
// if (g_deteArray->cRel==1)
// {
// KeReleaseMutex(g_setValueKeyMutext,FALSE);
// return OldZwSetValueKey(KeyHandle,ValueName,TitleIndex,
// Type,Data,DataSize);
// }
// DbgPrint("Find");
// KeReleaseMutex(g_setValueKeyMutext,FALSE);
// The only live statement: unconditional denial.
return STATUS_ACCESS_DENIED;
// }
// else
// {
// DbgPrint("not find");
// }
// return OldZwSetValueKey(KeyHandle,ValueName,TitleIndex,
// Type,Data,DataSize);
}
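// Replacement for ZwCreateFile, installed in the SSDT by AllHookOn.
//
// The published body set rc = 0 and returned it without calling the original:
// every file open/create then reported STATUS_SUCCESS while *FileHandle and
// *IoStatusBlock were never written, so callers continued with an
// uninitialised handle. A hook that makes no decision of its own must forward
// to the saved original, as the commented-out HookZwSetValueKey body does.
//
// Parameters and return value are those of ZwCreateFile. None of the pointers
// is dereferenced here; they are passed through to the original unchanged.
NTSTATUS HookZwCreateFile(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength)
{
    // AllHookOn stores OldRealZwCreateFile before rewriting the table slot, so
    // it is set whenever this routine is reached through the SSDT; the guard
    // covers a direct call made before that.
    if (OldRealZwCreateFile == NULL) {
        return STATUS_UNSUCCESSFUL;
    }
    return OldRealZwCreateFile(FileHandle, DesiredAccess, ObjectAttributes,
                               IoStatusBlock, AllocationSize, FileAttributes,
                               ShareAccess, CreateDisposition, CreateOptions,
                               EaBuffer, EaLength);
}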
#ifndef KEDEF_H_
#define KEDEF_H_
// One filtering rule, as sent by the manager through IOCTL_ADDARUL /
// IOCTL_REMOVEARUL. It arrives in SystemBuffer, so DispatchIoctl must check
// InputBufferLength >= sizeof(RulData) before casting, and nothing guarantees
// the char arrays are NUL-terminated by the sender.
typedef struct _RulData
{
char chKey[1024];   // key path the rule applies to (matched against the full name of KeyHandle in the commented HookZwSetValueKey body)
char szDes[256];    // description text, copied into VisitData::szDes
char szOps[256];    // operation text, copied into VisitData::szOp
unsigned int iDan;  // presumably a severity/danger level; only copied through, not interpreted - confirm
#define KE_ASK 1//ask the user
#define KE_HOLDUP 2//block
char cOps;          // KE_ASK or KE_HOLDUP; cOps == 2 makes the hook return STATUS_ACCESS_DENIED
}RulData;
// A rule together with its persistence data; not referenced by any code in
// this listing (presumably the manager's on-disk rule record - confirm).
typedef struct _StoreRulData
{
RulData rd;
char szRulName[25];
#define RUL_USEING 1//rule enabled
#define RUL_DISABLE 2//rule disabled
char cStatus;//rule status: RUL_USEING or RUL_DISABLE
}StoreRulData;
// Record of one intercepted registry write, filled by the (commented-out)
// HookZwSetValueKey body and handed to the manager by IOCTL_SETVALUEKEY.
// All string fields are fixed-size and filled with strcpy/memcpy from
// caller-controlled data in that body; the copies need bounds before the body
// is revived.
typedef struct _VisitData
{
ULONG uPID;        // PsGetCurrentProcessId() of the writer
ULONG uTID;        // PsGetCurrentThreadId() of the writer
char chkey[1024];  // full name of the key (GetFullName output)
char subkey[256];  // ANSI copy of ValueName
ULONG utype;       // the Type argument of ZwSetValueKey
char chData[1024]; // first DataSize bytes of Data (copied only when DataSize<1024)
char szDes[256];   // matching rule's szDes
char szOp[256];    // matching rule's szOps
unsigned int iDan; // matching rule's iDan
}VisitData;
// The manager's verdict for one intercepted write (IOCTL_MGRVISIT).
typedef struct _DeteData
{
ULONG uTID;   // thread the verdict is for (not checked by the commented-out hook body)
char cRel;    // 1 = let the write through to the original ZwSetValueKey; anything else denies
}DeteData;
#endif